Indian Computer Emergency Response Team (CERT-In) issues warning of critical vulnerability in Microsoft products, posing security risk

OnMSFT Staff OnMSFT Staff
2 min read

As reported by OdishaTV, a new security concern involving certain Microsoft products has been highlighted by the Indian Computer Emergency Response Team (CERT-In).

The recently discovered vulnerability affects Microsoft Office and Windows HTML, enabling potential attackers to execute code remotely without physical access.

The vulnerability, identified and reported by CERT-In, allows unauthorized individuals to exploit the system and gain control over the affected device. This poses a significant risk to data security, potentially exposing sensitive information.

Several versions of Microsoft products are affected by this vulnerability, including:

  • Windows 10 (x64-based, 32-bit, and 22H2 versions)
  • Windows 11 (22H2 and ARM64-based versions)
  • Windows Server 2022 and 2019
  • Windows 10 (Version 21H2 and 1809)
  • Microsoft Word (2013 Service Pack 1 and 2016 editions)
  • Microsoft Office LTSC 2021 and 2019
  • Windows Server 2012, 2008 R2, and 2008
  • Windows Server 2016
  • Windows 10 (Version 1607)
  • Windows Server 2012 R2
  • Microsoft Office 2019

The vulnerability within Microsoft Office and Windows HTML stems from inadequate validation of user-provided input during cross-protocol file navigation.

An attacker must persuade a victim to open a specifically crafted file to exploit this vulnerability. Through this weakness, the attacker can execute arbitrary code remotely, jeopardizing the security and reliability of the targeted system.

To mitigate the associated risks, CERT-In recommends the following crucial measures:

  1. Users who have Microsoft Defender for Office installed are already protected against attachments attempting to exploit this vulnerability.
  2. Enabling the “Block all Office applications from creating child processes” Attack Surface Reduction Rule is strongly advised, as it effectively thwarts the exploitation of this vulnerability.

For organizations unable to implement these protections, CERT-In suggests adding the following application names as REG_DWORD values, each with a data value of 1, to the designated registry key:

  • Excel.exe
  • Graph.exe
  • MSAccess.exe
  • MSPub.exe
  • PowerPoint.exe
  • Visio.exe
  • WinProj.exe
  • WinWord.exe

By following these recommendations, users, and organizations can proactively address the risks posed by the Microsoft Office and Windows HTML vulnerability, enhancing their overall security posture.

Share this article:

Related Articles

Chrome tests Google Drive file uploads in the AI Mode compose box

April 14, 2026
Gemini image creation using right click desktop Chrome

Chrome lets you remake images with Gemini on desktop using just a right-click

April 13, 2026
Samsung Display crosses 5 million QD-OLED monitor shipments as demand grows fast, with new panels and strong premium market expansion worldwide.

Samsung Display Ships 5 Million QD-OLED Monitor Panels in Four Years

April 9, 2026

Leave a Comment

Your email address will not be published. Required fields are marked *